Can't get a TLS certificate in cert-manager - ssl

So this is what I have and what I've done, pretty much following the latest documentation and some tutorials I came across:
Create the cert-manager namespace:
kubectl create namespace cert-manager
Install cert-manager:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.0/cert-manager.yaml
Verify the installation... there should be three running Pods, and there are:
kubectl get pods --namespace cert-manager
Run the test to make sure it is able to issue certificates... it passes.
Make an issuer.yaml:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: 'my@email.com'
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
Make a certificate.yaml:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: examplewebsite-com-tls
spec:
  secretName: examplewebsite-com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: examplewebsite.com
  dnsNames:
  - test.examplewebsite.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - test.examplewebsite.com
Update ingress.yaml to reflect this:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
  name: ingress-service
  namespace: default
spec:
  tls:
  - hosts:
    - test.examplewebsite.com
    secretName: examplewebsite-com
  rules:
  - host: test.examplewebsite.com
    http:
      paths:
      - path: /?(.*)
        backend:
          serviceName: client-cluster-ip-service
          servicePort: 3000
      - path: /api/?(.*)
        backend:
          serviceName: api-cluster-ip-service
          servicePort: 5000
Apply all of these and run into the following issues.
$ kubectl describe certificate examplewebsite-com-tls
Status:
  Conditions:
    Last Transition Time:  2020-01-28T23:52:45Z
    Message:               Waiting for CertificateRequest "examplewebsite-com-tls-2527238951" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Requested  117s  cert-manager  Created new CertificateRequest resource "examplewebsite-com-tls-2527238951"
And it just sits there indefinitely.
$ kubectl describe secret examplewebsite-com
Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1675 bytes
DNS is set up properly because I can navigate to the website and see the application; https:// just doesn't work.
What am I doing wrong here?

The certificate.yaml is not necessary at all.
Really, I only needed this after following the installation instructions:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email>
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: ingress
  namespace: default
spec:
  tls:
  - hosts:
    - test.domain.com
    secretName: test-domain-com
  rules:
  - host: test.domain.com
    http:
      paths:
      - path: /?(.*)
        backend:
          serviceName: client-cluster-ip-service
          servicePort: 3000
      - path: /api/?(.*)
        backend:
          serviceName: api-cluster-ip-service
          servicePort: 5000
Very well written and current (as of 1/30/20) tutorial here:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

Related

Certificate not issued by clusterIssuer EKS

I have tried using jetstack/cert-manager to secure my application launched on EKS, but I still see "Not Secure". I am not sure what I missed. Here is what I have done:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: something@gmail.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
My manifest looks as follows:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: wordpress
        image: wordpress:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: wordpress
spec:
  selector:
    app: wordpress
  ports:
  - protocol: TCP
    port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wordpress
            port:
              number: 80
  tls:
  - hosts:
    - mydomain.com
    secretName: letsencrypt-production
When I do
kubectl describe certificate letsencrypt-production
I don't see anything under Events like Issued or Requested:
Status:
  Conditions:
    Last Transition Time:  2022-12-22T06:04:30Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2023-03-21T11:04:22Z
  Not Before:              2022-12-21T11:04:23Z
  Renewal Time:            2023-02-19T11:04:22Z
Events:                    <none>
When I open my domain I see NET::ERR_CERT_AUTHORITY_INVALID.
What did I miss? Any help?
I can get it to work by creating a ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <my_email_id>
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
and creating an Ingress resource as follows:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          service:
            name: wordpress
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - mydomain.com
    secretName: letsencrypt-production

Cert-Manager Kubernetes order stuck on Pending

Objects below. This worked fine getting a staging cert from Let's Encrypt, but now that I've cut over to prod it does not work and has been hanging for >12 hrs.
The public IP is the correct one (I can navigate to it via https://website.gg and get the expected cert errors, same with ping etc.).
All subdomains are correctly routed to this same public/external IP.
The CertificateIssuer has been hanging for 12 hours and seems to have no chance of resolving.
Relevant objects:
Certificate:
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  creationTimestamp: "2022-01-21T06:01:42Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: mysecret-tls
  namespace: mine
  ownerReferences:
  - apiVersion: extensions/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Ingress
    name: mine-api-ingress
    uid: fbbfdbac-5480-469e-8230-6d018d5ef151
  resourceVersion: "11962900"
  uid: 2710c043-7f95-4576-982f-03b702038105
spec:
  dnsNames:
  - website.gg
  - '*.website.gg'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: mysecret-tls
status:
  conditions:
  - lastTransitionTime: "2022-01-21T06:01:42Z"
    message: Waiting for CertificateRequest "mysecret-tls-3406177836" to complete
    reason: InProgress
    status: "False"
    type: Ready
ClusterIssuer:
apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: mine-api
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2022-01-17T03:43:44Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: letsencrypt-prod
  resourceVersion: "10876278"
  uid: 27b34bfe-16e7-4d51-9229-ad12abb52df6
spec:
  acme:
    email: myemail@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
status:
  acme:
    lastRegisteredEmail: myemail@email.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/367378310
  conditions:
  - lastTransitionTime: "2022-01-17T03:43:44Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
CertificateRequest:
Issuer Ref:
  Group:  cert-manager.io
  Kind:   ClusterIssuer
  Name:   letsencrypt-prod
Status:
  Conditions:
    Last Transition Time:  2022-01-21T06:01:44Z
    Message:               Waiting on certificate issuance from order mine/mysecret-tls-3406177836-1310394537: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:                    <none>
Ingress:
...
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  ...
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: mine-api-service
            port:
              number: 80
        path: /api/(.*)
        pathType: Prefix
      - backend:
          service:
            name: mine-bot-service
            port:
              number: 80
        path: /bot/(.*)
        pathType: Prefix
      - backend:
          service:
            name: mine-ui-service
            port:
              number: 80
        path: /(.*)
        pathType: Prefix
  tls:
  - hosts:
    - website.gg
    - '*.website.gg'
    secretName: mysecret-tls
status:
  loadBalancer:
    ingress:
    - hostname: a605c42f1adc44435bb1cab34ee9bf3a
      ip: {my-public-ip}
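The objects in this post can be walked mechanically instead of read by eye. The script below is an added example, not cert-manager code and not from the poster: it takes the objects you would get from `kubectl get certificate,certificaterequest,order,challenge -A -o json` (after `json.load`), follows ownerReferences from Certificate to CertificateRequest to Order to Challenge, and reports the deepest object that is not Ready. It also applies one spec-level check that explains an Order that stays at "pending" with no events: a wildcard dnsName under an issuer whose only solver is HTTP-01. Let's Encrypt validates wildcard names through the DNS-01 challenge only, so no HTTP-01 solver can ever satisfy that authorization. The `SAMPLE` list is constructed by hand to mirror the post's objects.

```python
"""Walk a stuck cert-manager issuance chain offline and report where it stops.

Added example, not cert-manager code. Input: cert-manager objects as dicts.
"""
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (kind, namespace, name); "" namespace for cluster-scoped kinds


def _key(o: dict) -> Key:
    return o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]


def ready_condition(o: dict) -> Tuple[str, str, str]:
    """(status, reason, message) of the Ready condition, or ('Unknown', '', '') if absent."""
    for c in o.get("status", {}).get("conditions", []):
        if c.get("type") == "Ready":
            return c.get("status", "Unknown"), c.get("reason", ""), c.get("message", "")
    return "Unknown", "", ""


def children_of(objects: List[dict], kind: str, parent: dict) -> List[dict]:
    """Objects of `kind` in the parent's namespace whose ownerReferences name the parent."""
    pkind, pns, pname = _key(parent)
    return [o for o in objects
            if o["kind"] == kind and o["metadata"].get("namespace", "") == pns
            and any(r.get("kind") == pkind and r.get("name") == pname
                    for r in o["metadata"].get("ownerReferences", []))]


def solver_types(issuer: dict) -> Set[str]:
    """Challenge types ("http01", "dns01") configured on an ACME Issuer/ClusterIssuer."""
    types: Set[str] = set()
    for s in issuer.get("spec", {}).get("acme", {}).get("solvers", []):
        types.update(k for k in ("http01", "dns01") if k in s)
    return types


def describe(o: dict) -> str:
    kind, _, name = _key(o)
    st = o.get("status", {})
    if kind in ("Order", "Challenge"):  # these carry state/reason rather than a Ready condition
        return f"{kind} {name}: state={st.get('state', '?')} reason={st.get('reason', '')!r}"
    status, reason, message = ready_condition(o)
    return f"{kind} {name}: Ready={status} reason={reason} message={message!r}"


def diagnose(objects: List[dict]) -> List[str]:
    idx: Dict[Key, dict] = {_key(o): o for o in objects}
    findings: List[str] = []
    for cert in (o for o in objects if o["kind"] == "Certificate"):
        _, ns, name = _key(cert)
        label = f"{ns}/{name}"
        if ready_condition(cert)[0] == "True":
            continue
        # Spec-level check first: wildcard names need a dns01 solver on the issuer.
        ref = cert["spec"]["issuerRef"]
        ikind = ref.get("kind", "Issuer")
        issuer: Optional[dict] = idx.get((ikind, "" if ikind == "ClusterIssuer" else ns, ref["name"]))
        if issuer is None:
            findings.append(f"{label}: issuerRef {ikind}/{ref['name']} does not exist")
        else:
            wild = [d for d in cert["spec"].get("dnsNames", []) if d.startswith("*.")]
            if wild and "dns01" not in solver_types(issuer):
                findings.append(f"{label}: wildcard dnsNames {wild} need a dns01 solver; "
                                f"{ikind} {ref['name']} has only {sorted(solver_types(issuer))}")
        # Then follow the ownership chain down to the deepest object that exists.
        node = cert
        for kind in ("CertificateRequest", "Order", "Challenge"):
            kids = children_of(objects, kind, node)
            if not kids:
                break
            # Prefer the child the parent's own status message names (retries leave siblings).
            msg = ready_condition(node)[2]
            node = next((k for k in kids if k["metadata"]["name"] in msg), kids[0])
        findings.append(f"{label}: stuck at {describe(node)}")
    return findings


# Constructed sample mirroring the post: http01-only ClusterIssuer, wildcard Certificate,
# CertificateRequest waiting on an Order that sits at "pending" with no Challenge.
SAMPLE: List[dict] = [
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "ACMEAccountRegistered"}]}},
    {"kind": "Certificate", "metadata": {"name": "mysecret-tls", "namespace": "mine"},
     "spec": {"dnsNames": ["website.gg", "*.website.gg"], "secretName": "mysecret-tls",
              "issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "InProgress",
                                "message": 'Waiting for CertificateRequest "mysecret-tls-3406177836" to complete'}]}},
    {"kind": "CertificateRequest",
     "metadata": {"name": "mysecret-tls-3406177836", "namespace": "mine",
                  "ownerReferences": [{"kind": "Certificate", "name": "mysecret-tls"}]},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                                "message": 'Waiting on certificate issuance from order '
                                           'mine/mysecret-tls-3406177836-1310394537: "pending"'}]}},
    {"kind": "Order",
     "metadata": {"name": "mysecret-tls-3406177836-1310394537", "namespace": "mine",
                  "ownerReferences": [{"kind": "CertificateRequest", "name": "mysecret-tls-3406177836"}]},
     "status": {"state": "pending"}},
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

Against a live cluster, pipe `kubectl get ... -o json` into `json.load` and pass `items` to `diagnose`; when a Challenge exists, its `status.reason` is where cert-manager writes the HTTP-01 propagation error (wrong status code, wrong body, unreachable host), which is what to read next.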

why i get the error "backend - 404 error" when trying to deploy tls ingress in kubernetes with no errors on events

I'm trying to deploy a simple Ingress service. It works as a plain Ingress without the secure function (TLS), but when I include the TLS cert it always returns "backend - 404 error".
I already installed cert-manager and ingress-nginx and already checked that this install is OK.
EDIT: I explained all the steps I'm doing.
EDIT2: I updated the cert-manager version to v1.5.4.
These were the steps:
1.- Install the nginx controller for my IP:
helm install bitnami/nginx-ingress-controller --set controller.service.loadBalancerIP="[MY-STATIC-IP]",rbac.create=true --generate-name
2.- Apply the deployment and service (app.yaml):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: taxisbahiadeploy
  labels:
    type: endpoints-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: taxisbahiadeploy
  template:
    metadata:
      labels:
        app: taxisbahiadeploy
    spec:
      containers:
      - name: taxisbahiadeploy
        image: gcr.io/google-samples/hello-app:1.0
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: taxisbahia
spec:
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    app: taxisbahiadeploy
3.- Configure Let's Encrypt:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager \
  --namespace cert-manager \
  --version v1.5.4 \
  jetstack/cert-manager
4.- Apply the Issuer (issuer.yaml):
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: 'fco@ggggg.com'
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'fco@ggggg.com'
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
5.- Final step, this is the Ingress where it fails (ingress-tls.yaml):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: esp-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - domain.com
    secretName: esp-tls
  rules:
  - host: domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: taxisbahia
            port:
              number: 8080
I think your TLS hosts part should be something like this; check your host:
spec:
  tls:
  - hosts:
    - example.example.com
    secretName: quickstart-example-tls
Reference: https://cert-manager.io/docs/tutorials/acme/ingress/
First of all, make sure that you are actually visiting https://yourapp.com.
I had the same issue, but then I realized I was actually trying HTTP, which is no longer available after TLS is added.

Google Cloud - TLS certificate not ready (Kubernetes)

I'm trying to run a TLS certificate on Google Cloud Engine to enable HTTPS on my domain. For some reason, after inspecting the certificate in Google I see that it is not ready.
Here's my Certificate object:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: admin-panel-com-tls
spec:
  secretName: api-tls-crt-secret
  issuerRef:
    name: letsencrypt-prod-admin-panel
    kind: ClusterIssuer
  commonName: admin-panel.staging.test.com
  dnsNames:
  - admin-panel.staging.test.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - admin-panel.staging.test.com
And my cert issuer object:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'test@email.com'
    privateKeySecretRef:
      name: letsencrypt-prod-admin-panel
    http01: {}
My ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: admin-panel-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod-admin-panel
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - admin-panel.staging.test.com
    secretName: api-tls-crt-secret
  rules:
  - host: admin-panel.staging.test.com
    http:
      paths:
      - path: /.*
        backend:
          serviceName: admin-panel-service
          servicePort: 3000
      - path: /api/.*
        backend:
          serviceName: admin-panel-server-service
          servicePort: 3001
      - path: /auth/.*
        backend:
          serviceName: admin-panel-server-service
          servicePort: 3001
What am I missing here?
Also, after putting my DNS into the ingress config, I'm getting: default backend - 404
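Most of the questions on this page fail at the wiring between Issuer, Certificate and Ingress rather than at ACME itself: the first post carries a `#` where the e-mail needs an `@`, a stray quote in a tls host and a v1alpha1 `acme.config` block inside a v1alpha2 Certificate; the EKS post lists a tls host that no rule names, so the controller has no server for that name and the browser gets the controller's own default certificate; the "backend - 404" answer tells the poster to check that the tls host matches; and the post just above points its Certificate at an issuer name (`letsencrypt-prod-admin-panel`) that differs from the ClusterIssuer it created (`letsencrypt-prod`). The linter below is an added example, not cert-manager's code and not from any poster. It works over Kubernetes objects as Python dicts (what `kubectl get clusterissuer,issuer,certificate,ingress -A -o json` gives you after `json.load`) and reports exactly those mistakes; the sample objects are constructed by hand to mirror the first two posts.

```python
"""Static checks for cert-manager / ingress wiring, over objects as Python dicts.

Added example; not cert-manager's code. Run it before reading any controller log.
"""
import re
from typing import Dict, List, Tuple

# cert-manager.io/* are the current annotation names; certmanager.k8s.io/* are pre-v0.11.
ISSUER_ANNOTATIONS = {
    "cert-manager.io/cluster-issuer": "ClusterIssuer", "cert-manager.io/issuer": "Issuer",
    "certmanager.k8s.io/cluster-issuer": "ClusterIssuer", "certmanager.k8s.io/issuer": "Issuer",
}
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)  # rejects stray quotes/spaces

Key = Tuple[str, str, str]  # (kind, namespace, name); "" namespace for ClusterIssuer


def _key(o: dict) -> Key:
    ns = "" if o["kind"] == "ClusterIssuer" else o["metadata"].get("namespace", "default")
    return o["kind"], ns, o["metadata"]["name"]


def lint(objects: List[dict]) -> List[str]:
    idx: Dict[Key, dict] = {_key(o): o for o in objects}
    problems: List[str] = []

    def issuer_missing(kind: str, ns: str, name: str) -> bool:
        return (kind, "" if kind == "ClusterIssuer" else ns, name) not in idx

    for o in objects:
        kind, ns, name = _key(o)
        spec, where = o.get("spec", {}), f"{kind} {name}"
        if kind in ("Issuer", "ClusterIssuer"):
            email = spec.get("acme", {}).get("email", "")
            if email and "@" not in email:
                problems.append(f"{where}: acme.email {email!r} is not an e-mail address")
        elif kind == "Certificate":
            # cert-manager v0.11 (API group cert-manager.io) dropped spec.acme; solvers live on the Issuer.
            if "acme" in spec and o["apiVersion"].startswith("cert-manager.io/"):
                problems.append(f"{where}: spec.acme was removed in v0.11; solvers belong on the Issuer")
            ref = spec.get("issuerRef", {})
            rk = ref.get("kind", "Issuer")
            if issuer_missing(rk, ns, ref.get("name", "")):
                problems.append(f"{where}: issuerRef {rk}/{ref.get('name')} does not exist")
            for h in spec.get("dnsNames", []) + [spec[k] for k in ("commonName",) if k in spec]:
                if not HOST_RE.match(h):
                    problems.append(f"{where}: {h!r} is not a valid DNS name")
        elif kind == "Ingress":
            for ann, ik in ISSUER_ANNOTATIONS.items():
                val = o["metadata"].get("annotations", {}).get(ann)
                if val is not None and issuer_missing(ik, ns, val):
                    problems.append(f"{where}: annotation {ann}={val!r} names a missing {ik}")
            rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
            for tls in spec.get("tls", []):
                if not tls.get("secretName"):
                    problems.append(f"{where}: tls entry without secretName")
                for h in tls.get("hosts", []):
                    if not HOST_RE.match(h):
                        problems.append(f"{where}: tls host {h!r} is not a valid DNS name")
                    elif h not in rule_hosts:  # no server for this name: default cert gets served
                        problems.append(f"{where}: tls host {h!r} has no rules[].host entry")
    return problems


# Constructed to mirror the first post: '#' in the e-mail, v1alpha1 acme.config in a
# v1alpha2 Certificate, and a stray quote on the tls host.
BROKEN: List[dict] = [
    {"apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-staging"},
     "spec": {"acme": {"server": "https://acme-staging-v02.api.letsencrypt.org/directory",
                       "email": "my#email.com", "privateKeySecretRef": {"name": "letsencrypt-staging"},
                       "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"apiVersion": "cert-manager.io/v1alpha2", "kind": "Certificate",
     "metadata": {"name": "examplewebsite-com-tls", "namespace": "default"},
     "spec": {"secretName": "examplewebsite-com", "commonName": "examplewebsite.com",
              "issuerRef": {"name": "letsencrypt-staging", "kind": "ClusterIssuer"},
              "dnsNames": ["test.examplewebsite.com"],
              "acme": {"config": [{"http01": {"ingressClass": "nginx"}, "domains": ["test.examplewebsite.com"]}]}}},
    {"apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
     "metadata": {"name": "ingress-service", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "nginx",
                                  "cert-manager.io/cluster-issuer": "letsencrypt-staging"}},
     "spec": {"tls": [{"hosts": ['test.examplewebsite.com"'], "secretName": "examplewebsite-com"}],
              "rules": [{"host": "test.examplewebsite.com", "http": {"paths": []}}]}},
]

# Constructed to mirror the EKS post: the tls host is listed, but no rule names a host.
EKS: List[dict] = [
    {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-production"},
     "spec": {"acme": {"email": "someone@example.com", "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "wordpress", "namespace": "default",
                  "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-production"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}],
              "tls": [{"hosts": ["mydomain.com"], "secretName": "letsencrypt-production"}]}},
]
# The accepted fix from that post: the same Ingress with `host: mydomain.com` on the rule.
EKS_FIXED: List[dict] = [EKS[0], {**EKS[1], "spec": {**EKS[1]["spec"], "rules": [
    {"host": "mydomain.com", "http": EKS[1]["spec"]["rules"][0]["http"]}]}}]

if __name__ == "__main__":
    for sample in (BROKEN, EKS, EKS_FIXED):
        print(lint(sample) or ["ok"])
```

The checks are deliberately cheap and offline; they catch the class of error that leaves a Certificate at `InProgress` forever or hands the browser a certificate for the wrong name, before anyone starts reading ACME challenge logs.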

kong-ingress-controller: Error with ingress in GKE

I have made big progress; now I'm generating the certificates with this ingress (using certmanager.k8s.io):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/acme-http01-edit-in-place: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    configuration.konghq.com: sample-kong-ingress
    kubectl.kubernetes.io/last-applied-configuration: |
      {"a big json"}
    kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.global-static-ip-name: name-public-ip
  generation: 14
  name: name-ingress
  namespace: default
  resourceVersion: "11158958"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/name-ingress
spec:
  backend:
    serviceName: kong-proxy
    servicePort: 8080
  tls:
  - hosts:
    - www.a.host.com
    secretName: a-name-to-secret-tls
status:
  loadBalancer:
    ingress:
    - ip: XX.XXX.XXX.XXX
But now I'm getting this error:
Reason: ingress default/name-ingress uses unsupported LBType LoadBalancer for cloud provider
Maybe someone who uses GKE has some idea?
Thanks for your time in advance.